For today’s computing platforms, ease of access and openness is essential for web based communications and for lean resourced IT Management teams.

This is directly at odds for the increased necessity for comprehensive security measures in a world full of malware, hacking threats and would-be data thieves.

Most organizations will adopt a layered security strategy, providing as many protective measures for their IT infrastructure as are available – firewalls, sandboxes, IPS and IDS, anti-virus – but the most secure computing environments are those with a ‘ground up’ security posture.

If data doesn’t need to be stored on the public-facing Linux web server, then take it off completely – if the data isn’t there, it can’t be compromised.

If a user doesn’t need access to certain systems or parts of the network, for example, where your secure Ubuntu server farm is based, then revoke their privileges to do so – they need access systems to steal data so stop them getting anywhere near it in the first place.

Similarly, if your CentOS server doesn’t need FTP or Web services then disable or remove them. You reduce the potential vectors for security breaches every time you reduce means of access.

To put it simply, you need to harden your Linux servers.

Linux Hardening Policy background

The beauty of Linux is that it is so accessible and freely available that it is easy to get up and running with very little training or knowledge. The web-based support community places all the tips and tutorials you’ll ever need to carry out any Linux set-up task or troubleshoot issues you may experience.

Finding and interpreting the right hardening checklist for your Linux hosts may still be a challenge so this guide gives you a concise checklist to work from, encompassing the highest priority hardening measures for a typical Linux server.

Render these files safe by removing the SUID or SGID bits using chmod -s filename

You should also restrict access to all compilers on the system by adding them to a new ‘compilers’ group.

chgrp compilers *cc*

chgrp compilers *++*

chgrp compilers ld

chgrp compilers as

Once added to the group, restrict permissions using a chmod 750 compiler

Implement Regular/Real-Time FIM on Sensitive Folders and Files

File integrity should be monitored for all files and folders to ensure permissions and files do not change without approval.

Configure Auditing on the Linux Server

Ensure key security events are being audited and are forwarded to your syslog or SIEM server. Edit the syslog.conf file accordingly.

General Hardening of Kernel Variables

Edit the /etc/sysctl.conf file to set all kernel variables to secure settings in order to prevent spoofing, syn flood and DOS attacks.

NNT Change Tracker Enterprise provides an automated tool for auditing servers, firewalls, router and other network devices for compliance with a full range of hardened build checklists. Once a hardened build baseline has been established, any drift from compliance with the required build standard will be reported. To enhance security protection further, Change Tracker also provides system-wide, real-time file integrity monitoring to detect any Trojan, backdoor or other malware infiltrating a secure server. Request a Linux server hardening trial or demonstration.